(57) ABSTRACT

A device for secured access to applications of a chip card executes instructions that provide information on the rights for accessing the chip card with respect to a software component or a hardware action performed in the chip card. For each new software component and at each new hardware action, a register of the microprocessor of the chip card stores a specific code for checking the authorized nature of the operations performed by the new software component or hardware action for accessing the memory of the chip card.

38 Claims, 1 Drawing Sheet 
SECURED ACCESS DEVICE WITH CHIP CARD APPLICATIONS

FIELD OF THE INVENTION

The present invention relates to a secured access device for chip card applications. More specifically, the invention relates to a device for secured access to chip card applications that uses instructions that have been performed in the chip card which, at each instant, provide information on rights for accessing the memory of the chip card, the software component, or the hardware operation that has been performed in the chip card.

BACKGROUND OF THE INVENTION

The most common type of chip card has a microprocessor that manages a program memory. The program memory is usually dedicated to a single application or a set of applications loaded at the same time into the chip card. When several applications are loaded into a chip card, they have a close relationship with one another, and are all designed for the same type of service. Thus, for example, a chip card cannot simultaneously play the role of a bank card and that of a customer card for another type of business.

In order to end this situation where each chip card has to be limited to one type of application, new software architectures are being considered. These new software architectures are making use of the development of standardized programming languages which resolve the problems of portability, such as the programming language JAVA, for example.

FIG. 1 is a simplified view of a software architecture of the chip cards that are now being developed. The architecture shown in FIG. 1 includes, in particular, a first part 110 that corresponds to the software architecture and a second part 120 that corresponds to the applications part of the software architecture for the chip card 100. The system part 110 is essentially formed by a library of programs 112 for the operating system of the chip card, an interface 114 to manage the interactions with the microprocessor or the different memories of the chip card, and a space for the management of hardware interruptions 116.

The applications part 120 of the software architecture includes different applications, such as a first, second and third main application, respectively 122, 124 and 126, and a first, second and third additional application, respectively 121, 123 and 125. The main applications 122, 124 and 126 are written in a programming language that can be directly understood by the processor of the chip card.

The additional applications 121, 123 and 125 are typically applications encoded in a standardized language. These applications may be added at any point in time to the system part 110. In FIG. 1, the additional applications 121, 123 and 125 depend directly on the first main application 122. The first main application 122 herein serves as an interpreter between the additional applications and the operating system by converting the codes of the additional applications into a machine language that can be understood by the programs of the operating system 112.

The software architecture that has just been described is more complex than the one currently existing in chip cards in circulation. The architecture described assumes that it is possible to add applications in a standardized programming language, possibly after the chip card is put into circulation. It is therefore more complicated to achieve a satisfactory level of security compared to when a single application or a group of applications dedicated to a single chip card function are the only applications to be loaded into the chip card. [illegible] permanently limited in terms of available applications. The risk that a new application might disturb the operation of previous applications was therefore not as great.

The coexistence of applications of different kinds in the [illegible] number of problems. For example a software architecture simultaneously containing an application dedicated to the assessment of a customer's [illegible] gasoline company and a standard banking application [illegible] used in the banking application cannot be read during the use of the application associated with the gasoline company.

SUMMARY OF THE INVENTION

It is an object of the present invention to overcome the problems that have just been described. A device is provided that enables the management of different software applications that are installed, possibly at different times, or the management of different hardware events of a chip card while providing high security. Thus, the device according to the invention offers the possibility of detection when the user of an application tries to exceed his rights, for example, by attempting to access data not intended for the application in question.

To achieve this objective, the device sets up specific instructions internal to the microprocessor of the chip card. These specific instructions are call instructions and return instructions. These call and return instructions are associated with specific registers for determining whether the operations performed by the application are authorized.

The invention therefore pertains to a device for accessing applications of a chip card comprising a microprocessor associated with an operating system working with a set of instructions, a program memory, and one or more applications in a memory of the chip card.

The device comprises a register of the microprocessor to store a code on several check bits proper to an entity brought [illegible]. Also included are a call instruction, and an instruction for the return of the set of instructions to instantaneously and automatically update the register during the action by a new entity. The device further includes a checking device for checking, as a function of the check bits, whether access to the zones or address location of the memory of the chip card by the new entity that is called or comes into action in the chip card is authorized. A first link transmits the check bits from the microprocessor to the checking device.

According to a particular embodiment of the device of the invention, each new entity being executed is activated at a predefined address of a read only memory (ROM) of the chip card. According to different embodiments of the invention, the entity operating in the chip card may be an application of the one or more applications or a hardware event, or the operating system associated with the microprocessor of the chip card.

DESCRIPTION OF THE DRAWINGS

The various aspects and advantages of the invention shall appear more clearly hereinafter in the following description made with reference to the appended figures which are given purely by way of an indication and in no way restrict the scope of the invention, and which are now introduced:

FIG. 1 is a simplified block diagram of a software architecture for the chip cards currently being developed according to the prior art; and



US 6,776,346 B1



FIG. 2 is a block diagram illustrating the principle of operation for the execution of an application within a chip card according to the present invention. A microprocessor 200 manages the set of operations for a plurality of applications 210 of the chip card 100.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

A two-way bus 250 exchanges information between the microprocessor 200 and any application of the plurality of applications 210-212. The information exchanged may be data elements, addresses or control instructions. An access controller to the memory 220 exchanges information with the microprocessor 200 using a link 230, which conveys a control signal between the microprocessor 200 and the controller providing access to the memory 220.

When an entity such as the application 211, for example, requires the intervention of another entity, such as an application 212, it sends a call instruction DCALL using the two-way bus 250 followed by a designation of the entity called and a parameter enabling the nature of the call to be determined. According to the invention, a register R is updated during such calls. A certain number of bits of the register R then assume a value associated with the called entity. The register R is therefore a hardware component of the microprocessor 200 used to store a code proper to the entity of the software architecture that is being performed, and to control its field of execution.

Furthermore, the device according to the invention may also take into account instructions known as hardware instructions, such as resetting type instructions, for example. Instructions known as hardware instructions are events that may occur in real time and generate interruptions in the microprocessor of the chip card. This type of event is managed by the device in the same way as the software instructions. The bits of the register R take a very precise value appropriate to each real-time event affecting the chip card, thus limiting and controlling the rights pertaining to these events.

The information given by the register R is thus capable of checking information on the identification of the zone of the software architecture concerned by the application being executed. This information is checked at the microprocessor or at any other entity external to the software architecture. The information given by the register R enables the checking of the zone of the memory of the chip card in which the application is permitted to be accessed. Thus, any user attempting to make fraudulent use of the operating system in order to recover data pertaining to a particular application is refused access to this data. The bits of the state register in this case are different from the bits that might correspond to a call instruction DCALL of the particular application in question.

The addresses to be accessed and the bits of the register R sent by the microprocessor via link 230 are compared with each other in the access controller of the memory 220. If the addresses of the memory to be accessed are not addresses belonging to the authorized field of the last application having performed a call instruction DCALL, then information on illegal access to the memory is prohibited.

The device according to the invention thus provides great security in the sense that data elements intended for one application cannot be used by another application. A second register CS makes it possible to retain in memory a code proper to the applications that were active at the last call instruction DCALL sent by the current application, namely those that are to be performed following the current application.

When the current application has completed execution, a return instruction DRET is executed by the microprocessor and the data elements contained in the second register CS enable a return to the application that was being performed previously and had been activated by a call instruction DCALL. The register R is also updated.

The second register CS cannot be directly accessed by the applications of the chip card. This is to ensure the integrity of the device when it is put into operation during the execution of a return instruction DRET. When the execution of the current application is finished, the bits of the register R assume a value specific to the application that was being performed previously, restoring its rights and limits in terms of memory access. The memory zone access device according to the invention gives a high level of security in terms of access to the different zones of the memory for a software architecture such as the one shown in FIG. 1.

What is claimed is:

1. A chip card comprising:

a microprocessor including an operating system working with a set of instructions, said microprocessor comprising a first register for storing a multibit identification code identifying an entity to be executed, the set of instructions including a call instruction for calling based upon the multibit identification code a new entity to be executed, and for updating said first register during execution of the new entity by storing therein a first label associated with the entity being executed;

a memory connected to said microprocessor for storing a plurality of application programs;

a first link connected to said microprocessor for transmitting the multibit identification code; and

a checking device connected to said first link for receiving the multibit identification code, and for checking whether access to locations in said memory is authorized for the new entity by comparing the first label with a second label, the second label being associated with the plurality of application programs in said memory or with the locations in said memory, and the second label also being used for initiating reading of one of said plurality of application programs therein.

2. A chip card according to claim 1, wherein the set of instructions further includes a return instruction; and wherein said microprocessor comprises a second register and loads the multibit identification code from said first register to said second register when the call instruction is executed, and at a same time the return instruction causes the contents of said second register to be loaded into said first register.

3. A chip card according to claim 2, wherein said second register cannot be directly accessed.

4. A chip card according to claim 1, wherein the new entity to be executed is one of the plurality of application programs.

5. A chip card according to claim 1, wherein the new entity to be executed causes a hardware event.

6. A chip card according to claim 5, wherein the hardware event resets said microprocessor.

7. A chip card according to claim 1, wherein the set of instructions further includes a return instruction; and wherein said first register is updated in response to the return instruction.

8. A chip card according to claim 1, wherein said checking device provides a control signal to said microprocessor for providing access to the locations in said memory if the new entity to be executed is authorized.

9. A chip card according to claim 1, wherein the plurality of application programs are written in a standardized language.

10. A chip card comprising:

a microprocessor including an operating system working with a set of instructions including a call instruction and a return instruction, said microprocessor comprising

a first register for storing a multibit identification code identifying an application program entity to be executed, the call instruction for calling based upon the multibit identification code a new application program to be executed, and for updating said first register during execution of the new application program by storing therein a first label associated with the application program being executed, and

a second register for loading the multibit identification code from said first register to said second register when the call instruction is executed, and at a same time the return instruction causes the contents of said second register to be loaded into said first register,

a memory connected to said microprocessor for storing a plurality of application programs; and

a checking device connected to said microprocessor for receiving the multibit identification code, and for checking whether access to locations in said memory is authorized for the new application program by comparing the first label with a second label, the second label being associated with the plurality of application programs in said memory or with the locations in said memory, and the second label also being used for initiating reading of one of said plurality of application programs therein.

11. A chip card according to claim 10, wherein said second register cannot be directly accessed.

12. A chip card according to claim 10, wherein each application program causes a hardware event.

13. A chip card according to claim 12, wherein the hardware event resets said microprocessor.

14. A chip card according to claim 10, wherein said first register is automatically updated in response to the return instruction.

15. A chip card according to claim 10, wherein said checking device provides a control signal to said microprocessor for providing access to the locations in said memory if the new application program to be executed is authorized.

16. A method for securing access to a chip card comprising a microprocessor including an operating system working with a set of instructions including a call instruction, and a memory connected to the microprocessor for storing a plurality of application programs, the method comprising:

storing a multibit identification code in a first register identifying an entity to be executed;

calling a new entity to be executed based upon the multibit identification code stored in the first register;

updating the first register during execution of the new entity by storing therein a first label associated with the entity being executed; and

transmitting the multibit identification code from the microprocessor to a checking device, and checking whether access to locations in the memory is authorized for the new entity by comparing the first label with a second label, the second label being associated with the plurality of application programs in the memory or with the locations in the memory, and the second label also being used for reading one of the plurality of application programs therein.

17. A method according to claim 16, wherein the set of instructions further includes a return instruction; and wherein the microprocessor comprises a second register and loads the multibit identification code from the first register to the second register when the call instruction is executed, and at a same time the return instruction causes the contents of the second register to be loaded into the first register.

18. A method according to claim 17, wherein the second register cannot be directly accessed.

19. A method according to claim 16, wherein the new entity to be executed is one of the plurality of application programs.

20. A method according to claim 16, wherein the new entity to be executed causes a hardware event.

21. A method according to claim 20, wherein the hardware event resets the microprocessor.

22. A method according to claim 16, wherein the set of instructions further includes a return instruction; and wherein the first register is updated in response to the return instruction.

23. A method according to claim 16, wherein the checking comprises providing a control signal to the microprocessor for providing access to the locations in the memory if the new entity to be executed is authorized.

24. A method according to claim 16, wherein the plurality of application programs are written in a standardized language.

25. A method for securing access to a chip card comprising a microprocessor and a memory connected thereto for storing a plurality of application programs, the microprocessor including an operating system working with a set of instructions including a call instruction and a return instruction, the method comprising:

storing a multibit identification code in a first register for identifying an application program to be executed;

calling a new application program to be executed based upon the multibit identification code;

updating the first register during execution of the new application program by storing therein a first label associated with the application program being executed;

loading the multibit identification code from the first register to a second register when the call instruction is executed, and at a same time the return instruction causes the contents of the second register to be loaded into the first register; and

transmitting the multibit identification code from the microprocessor to a checking device for checking whether access to locations in the memory is authorized for the new application program by comparing the first label with a second label, the second label being associated with the plurality of application programs in the memory or with the locations in the memory, and the second label also being used for initiating reading of one of the plurality of application programs therein.

26. A method according to claim 25, wherein the second register cannot be directly accessed.

27. A method according to claim 25, wherein each application program causes a hardware event.

28. A method according to claim 27, wherein the hardware event resets the microprocessor.

29. A method according to claim 25, wherein the first register is updated in response to the return instruction.

30. A method according to claim 25, wherein checking comprises providing a control signal to the microprocessor for providing access to the locations of the memory if the new application program is authorized.

31. A chip card comprising:

a microprocessor;

a memory connected to said microprocessor for storing a plurality of application programs;

said microprocessor comprising a first register for storing a first code, on at least one check bit, corresponding to a first application program to be executed from said plurality of application programs;

if execution of said first application program requires intervention of a second application program from said plurality of application programs, then said first application program sends a call instruction to said microprocessor requesting such intervention;

said first register being updated based upon the call instruction for storing a second code, on the at least one check bit, corresponding to said second application program to be executed; and

a checking device connected to said microprocessor for checking the second code as to whether access to locations in said memory are authorized for said second application program.

32. A chip card according to claim 31, wherein said microprocessor comprises a second register for storing the first code corresponding to said first application program while said second application program is being executed; said first register also being updated based upon the first code.

33. A chip card according to claim 32, wherein after said microprocessor executes said second application program, said second register enables said microprocessor to return to said first application program.

34. A chip card according to claim 32, wherein said second register cannot be directly accessed.

35. A chip card according to claim 31, wherein said first and second application programs are written in a standardized language.

36. A chip card according to claim 35, wherein said first and second application programs are loaded into said memory after the chip card has been fabricated.

37. A chip card according to claim 31, wherein said checking device provides a control signal to said microprocessor for providing access to the locations of said memory if said second application program is authorized.

38. A chip card according to claim [illegible], wherein said checking device compares the address locations to be accessed in said memory with the second code in said first register.

* * *
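
The following C sketch is an added example, not code from the patent. It models the mechanism set out in the detailed description and claims: DCALL saves register R in CS and loads the called entity's code, DRET restores it, and the access controller compares each requested address with the zone labels. The entity codes, zone layout, stack model of CS, sample data and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Entity codes loaded into register R (values constructed for this sketch). */
enum { ENT_OS = 1, ENT_BANK = 2, ENT_FUEL = 3, EVT_RESET = 4 };
enum { MEM_SIZE = 48, CS_DEPTH = 8 };

/* A memory zone and the label of the only entity allowed to access it. */
struct zone { uint8_t start, end, label; };
static const struct zone zones[] = {
    { 0, 15, ENT_OS }, { 16, 31, ENT_BANK }, { 32, 47, ENT_FUEL },
};

static struct card {
    uint8_t R;             /* first register: code of the running entity   */
    uint8_t CS[CS_DEPTH];  /* second register, modelled here as a stack     */
    int cs_top;            /* (assumption); applications never touch it     */
    uint8_t mem[MEM_SIZE];
    unsigned violations;   /* accesses refused by the controller            */
} g_card;

static void card_init(struct card *c) {
    memset(c, 0, sizeof *c);
    c->R = ENT_OS;
    memcpy(&c->mem[16], "BANK-SECRET-KEY", 15);  /* constructed sample data */
}

/* DCALL (also used for hardware events): save R in CS, load the new code. */
static int dcall(struct card *c, uint8_t entity) {
    if (c->cs_top == CS_DEPTH) return -1;
    c->CS[c->cs_top++] = c->R;
    c->R = entity;
    return 0;
}

/* DRET: restore the previous entity's code, and with it its access rights. */
static int dret(struct card *c) {
    if (c->cs_top == 0) return -1;
    c->R = c->CS[--c->cs_top];
    return 0;
}

/* Access controller: address and R must match one zone; otherwise refuse. */
static int mem_read(struct card *c, unsigned addr, uint8_t *out) {
    for (size_t i = 0; i < sizeof zones / sizeof zones[0]; i++)
        if (addr >= zones[i].start && addr <= zones[i].end && zones[i].label == c->R) {
            *out = c->mem[addr];
            return 0;
        }
    c->violations++;
    return -1;
}

/* Bank / gasoline-company case from the background; one result bit per check. */
static unsigned scenario(struct card *c) {
    uint8_t b = 0;
    unsigned r = 0;
    card_init(c);
    dcall(c, ENT_BANK);
    r |= (mem_read(c, 16, &b) == 0 && b == 'B') << 0; /* bank reads its key   */
    dcall(c, ENT_FUEL);
    r |= (mem_read(c, 16, &b) == -1) << 1;            /* fuel app is refused  */
    dret(c);
    r |= (mem_read(c, 16, &b) == 0) << 2;             /* bank rights restored */
    dcall(c, EVT_RESET);
    r |= (mem_read(c, 16, &b) == -1) << 3;            /* reset event refused  */
    dret(c); dret(c);
    return r;
}

int main(void) {   /* exit status 0 when all four checks hold */
    return scenario(&g_card) == 0x0F ? 0 : 1;
}
```
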



